It’s the start of a new year and time to review all the passwords you use. I was prompted to do this by an incident where I think an account of mine was hacked. Unfortunately, we all have to use passwords to get into our computers, smartphones, tablets and the websites we use. Security experts are working on better authentication systems using biometrics and open authentication systems like OAuth, OpenID and others, but widespread adoption is still years away. For the moment we are stuck with our passwords.
One of the biggest security threats to companies in 2013 is default or weak passwords. In the past year, about 90 percent of successful data breaches analyzed by Verizon started with a weak or default password, or a stolen and reused credential. One egregious incident was the hacking of Mat Honan last year, which exploited social engineering and poor password recovery policies. With a little ingenuity people can guess weak passwords, especially when you use a default password like “admin” or something simple like “123456”.
Many companies have policies requiring password changes every 60, 90 or 120 days. This is common for internal user passwords, but may not be that common for system accounts on websites, servers and printers. It also may not be common for online services and SaaS applications.
As one of your New Year’s tasks, I suggest you change all your passwords. This includes business and personal accounts. It’s a good idea to review both the systems you use every day and those you rarely use. My guess is you’ve signed up for dozens of accounts you never use, and now is a good time to take inventory. Look at all the end-of-year emails you got from companies thanking you for something or other. You might have an account there with one of your most used passwords. If you still use the account, change the password. If you don’t use it, delete the account.
Here are a few tips for passwords:
- Don’t use a simple word or phrase, like “password” or “123456”
- Don’t use a word in the dictionary, since dictionary attacks are the most common form of hacking
- Use at least 14 characters; length makes a password much harder to crack
- Use a phrase or sentence that is easy to remember, like a movie quote or some random words, and add a few symbols and numbers to it
- Use a combination of upper-case and lower-case letters, numbers and symbols in your password
- Take your base password and create variations on it for other sites or systems
- Don’t reuse your password on important systems
Here’s an example:
- I start with a simple phrase: myfirstcarwasavw
- Adding a model year to it yields: myfirstcarwasa1972vw
- Put a symbol in there and you have: myfirstcarwasa1972vw$
- Vary it by capitalizing some letters and you have: myfirstcarwasa1972VW$
You can use variations on this for your different websites and systems. Sometimes it’s just as easy to create a simple phrase you will remember and pad it with a symbol or number. Make sure it’s not something easily guessed by someone who searches for your name on Google or Facebook.
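A small policy check that applies the tips above to the worked example, added here as an illustration and not part of the original post. The weak-password and dictionary lists are constructed stand-ins for a real breached-password list and wordlist, and MIN_LENGTH follows the 14-character tip.

```python
import math
import string

MIN_LENGTH = 14  # the post's "at least 14 characters"
SYMBOLS = set(string.punctuation)

# Constructed sample lists for this example; a real check would load a large
# breached-password list and a full wordlist instead of these few entries.
DEFAULT_PASSWORDS = {"password", "123456", "admin", "letmein", "qwerty"}
DICTIONARY_WORDS = {"password", "summer", "dragon", "welcome", "monkey"}


def character_classes(pw: str) -> int:
    """Count how many of the lower, upper, digit and symbol classes appear in pw."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw)])


def brute_force_bits(pw: str) -> float:
    """Worst-case search space in bits for an attacker who must try every
    string of this length over the character classes present. A phrase built
    from facts about you (first car, model year) is guessed far sooner than
    this number suggests, which is why the post says to avoid anything someone
    could find by searching your name."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(c in SYMBOLS for c in pw): alphabet += len(SYMBOLS)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str) -> list:
    """Return the tips from the post that pw violates (empty list means it passes)."""
    problems = []
    lowered = pw.lower()
    if lowered in DEFAULT_PASSWORDS:
        problems.append("default or well-known password")
    # "Summer2013!" is still the dictionary word "summer" once the padding is removed
    if lowered.strip(string.digits + string.punctuation) in DICTIONARY_WORDS:
        problems.append("dictionary word with simple padding")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 3:
        problems.append("fewer than three character classes")
    return problems


for candidate in ["123456", "Summer2013!", "myfirstcarwasavw", "myfirstcarwasa1972VW$"]:
    print(f"{candidate:22} {brute_force_bits(candidate):6.1f} bits  {check_password(candidate)}")
```

Only the final step of the post's example passes every check; the bare phrase is long enough but uses a single character class.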
There is no perfect system for passwords, but the longer the better and the more random the better. Go through some very early spring cleaning and change all your passwords. It’s well worth the time and effort to protect yourself from identity theft and information leaks.
Photo credit: Magnus D